Endpoint Protection

  • 1.  Bloodhound.Exploit.289 reoccurring

    Posted Aug 19, 2010 02:47 PM
    My company currently uses Symantec Endpoint Protection Client, and it is reporting that we have 119 (and climbing) quarantined cases of Bloodhound.Exploit.289 on one machine. In addition, there are 12 listed under "Newly Infected" and 18 under "Still Infected"--all on the same computer. We have had this problem at least twice before on this machine, despite the fact that we follow the removal guidelines on the Symantec site each time. Does anyone know why this could be happening or have any suggestions? Thanks in advance!


  • 2.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 19, 2010 04:24 PM
    Have you turned off System Restore on this computer? It is recommended that you temporarily turn off System Restore. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Boot into safe mode and run a Disk Cleanup (right-click the C drive, Properties, Disk Cleanup) - that will delete all the files that are in these temporary locations, as well as IE's temporary files, etc. Perform a full system scan in safe mode.

    If this fails to clean the system then try removing the threat using the Norton Power Eraser Tool found within the SEP Support Tool.

    Video - https://www-secure.symantec.com/connect/videos/power-eraser-overview

    Moving this thread to the Endpoint forum for greater visibility.

    Keep us posted on your progress.

    Thanks,
    Thomas



  • 3.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 20, 2010 12:51 PM

    Excuse me if this is a very basic question, but we are running Windows Server 2003; do you know if System Restore is applicable here? If so, how would I access it?

    If this does not apply, I will definitely try booting into safe mode et al. Thank you!


  • 4.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 20, 2010 01:01 PM

    I believe there is no built-in System Restore feature in Windows 2003 Server.


  • 5.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 20, 2010 01:59 PM
    There is no "native" system restore in Server 2003.
    Although one can be 'hijacked' from Windows XP and inserted into the OS, this is very rarely (if ever) done and is too much trouble for its worth.
    * * * * * *
    For your original question:
    Does anyone know why this could be happening or have any suggestions?
    * * * * * *
    There are a plethora of possible answers.
    More information is required.

    1st. Is this a production machine and what is its role? I.E. terminal server?
    2nd. Does it have access to the internet?
    3rd. Who has "install rights" on this machine?  Physical Access? 
    4th.  Is it properly patched?


  • 6.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 20, 2010 02:08 PM
    1. This is a terminal server.
    2. It does have access to the internet.
    3. There are two sysadmins with install rights on this machine. There are a large number of other remote users, but the same sysadmins are the only people who sometimes access it at its console.
    4. Patching is done once a month, and was just completed this past Monday.

    Please let me know if there is any other information that would help. Thank you for your interest in the problem.


  • 7.  RE: Bloodhound.Exploit.289 reoccurring
    Best Answer

    Posted Aug 20, 2010 03:58 PM
    http://www.symantec.com/norton/security_response/writeup.jsp?docid=2010-011102-5409-99

    Bloodhound Exploit 289 is generally being exploited via Adobe products.

    Unfortunately, because this is a Terminal Server, you will have a multitude of people opening up PDFs, both local and from the web, where this little bugger can be hiding.
    Your best option, unfortunately, is to keep Acrobat and all other Adobe products, I.E. Flash, Shockwave, Photoshop, etc., patched to the latest versions.
    Acrobat Reader often has exploits.
    You can keep updating it, every time you have an update/patch release.

    Alternatively, you can use another PDF reader and instruct your users to begin using this application of your choice instead.
    We often refer to "Adobe Reader exploits", but does that mean another reader will not be vulnerable? The answer to that is unknown.
    One thing is for sure: Adobe has the resources to patch the vulnerabilities more than a smaller open source competitor, but on the other hand, that open source competitor may not have the exposure, so it would be a less likely target for the efforts of trying to exploit its code.

    Open code, however, does offer a great deal of opportunity to be exploited... 

    http://www.securityfocus.com/bid/36665
    Here it indicates that Version 9.2 of Adobe Reader is NOT vulnerable to this exploit.

    I would suggest you start there.
    After cleaning out the infection of course.

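    The advice above comes down to knowing which Adobe products are installed on the terminal server and whether Adobe Reader is at or above the version the SecurityFocus entry lists as not vulnerable (9.2). The following PowerShell script is an added example, not code from the thread or from Symantec; it reads the standard Windows uninstall registry keys, lists every product whose name matches a pattern, and flags any Adobe Reader install below a configurable minimum. The name pattern, the minimum version and the output layout are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): inventory Adobe products from the
# Windows uninstall registry keys and flag Adobe Reader installs below a
# minimum version. Assumptions: the '^Adobe' name pattern is a hypothetical
# default; 9.2 is the Reader version the thread cites (BID 36665) as not
# vulnerable, so it is used here as the default minimum.
param(
    [string]$NamePattern = '^Adobe',
    [version]$MinimumReaderVersion = [version]'9.2'
)

# Both 32-bit and 64-bit uninstall hives; the Wow6432Node key only exists on
# 64-bit Windows, so its absence is not an error.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$findings = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        foreach ($sub in (Get-ChildItem $key)) {
            $p = Get-ItemProperty $sub.PSPath
            if ($p.DisplayName -and ($p.DisplayName -match $NamePattern)) {
                # DisplayVersion is free text written by the installer;
                # parse it defensively rather than trusting its shape.
                $parsed = $null
                try { $parsed = [version]$p.DisplayVersion } catch { }

                $status = 'unknown version - check manually'
                if ($parsed) {
                    if ($p.DisplayName -match 'Reader') {
                        if ($parsed -lt $MinimumReaderVersion) {
                            $status = "BELOW minimum $MinimumReaderVersion - update"
                        } else {
                            $status = 'at or above minimum'
                        }
                    } else {
                        $status = 'listed (no minimum configured)'
                    }
                }

                # New-Object PSObject keeps this usable on PowerShell 2.0
                New-Object PSObject -Property @{
                    Product = $p.DisplayName
                    Version = $p.DisplayVersion
                    Status  = $status
                }
            }
        }
    }
}

$findings | Sort-Object Product | Format-Table Product, Version, Status -AutoSize

# Non-zero exit code lets a scheduled task or remoting job treat an
# out-of-date Reader as a failure worth alerting on.
$outdated = @($findings | Where-Object { $_.Status -like 'BELOW*' })
if ($outdated.Count -gt 0) { exit 1 } else { exit 0 }
```

    Run it on the terminal server itself (or through PowerShell remoting against each server) after patching, and again after the next Adobe release; a non-zero exit code means a Reader install is still below the minimum. The registry inventory covers products registered with Windows Installer, so a per-user or portable PDF reader that users brought in themselves would not appear and still needs to be accounted for separately.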

  • 8.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 22, 2010 01:21 AM
    Do you have IPS installed?


  • 9.  RE: Bloodhound.Exploit.289 reoccurring

    Posted Aug 23, 2010 12:37 PM

    Thanks for this. Turns out that this particular server was missing some patches... everything seems to be fine now.